Dailydave mailing list archives
Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?
From: "Hamid . K" <elite_netbios () yahoo com>
Date: Fri, 10 Jun 2005 23:32:36 -0700 (PDT)
wow ! so much usefull information , Thank you all , for supporting me specially Rich and Jean :> The time I found that some RPC ports are open on systems , the same idea came across my mind but had no idea what to to/where to begin. I had the secuityFriday PoC but to be honest never completely reviewd their paper :p and thank you Jean for scheduling service hint which will save me time . and , Dave Can you explain more about fingerprinting based on COM ojects ? any hint/paper/refrence to review ? regards -Hamid --- Dave Aitel <dave () immunitysec com> wrote:
One thing CANVAS does to determine random things is fingerprint COM objects present on remote systems. This can often tell you if a certain software package is available or not. I haven't seen anyone else do this yet, but it's not that hard... -dave Rich Smith wrote:Cheers for the explanation for the lack mstask.exeUUID's in 2k3 SP1 andthe links :) It was Urity's presentation which set me off downthe road of lookingat/implementing RPC fingerprinting in the firstplace :), after thepresentation I thought more people wouldinvestigate thetechnique.......doesn't seem like many people have,however I find itquite a useful technique in many situations. --Rich-- On Fri, 2005-06-10 at 11:37 +0200, Jean-BaptisteMarchand wrote:* Rich Smith <richard.j.smith () hp com> [10/06/05 -10:16]:-- SP1 does not show endpoint UUID data for themstask.exe whereas SP0has quite a number of entries (typically 20+).Right, in Windows Server 2003 SP1, the TaskScheduler service(mstask.exe process) does not register its RPCservices on thencacn_ip_tcp transport but only on the ncacn_nptransport (\pipe\atsvc):http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.htmlhttp://www.hsc.fr/ressources/breves/min_w2k3_net_srv.html.enUrity gave in 2004 a presentation on the subjectof fingerprinting systemslooking at registered RPC interfaces, you might beinterested in lookingat the RpcScan tool and the related presentation: http://www.securityfriday.com/tools/RpcScan.html Jean-Baptiste Marchand_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Hamid . K (Jun 06)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Rich Smith (Jun 08)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Jean-Baptiste Marchand (Jun 10)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Rich Smith (Jun 10)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Dave Aitel (Jun 10)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Hamid . K (Jun 10)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Isaac Dawson (Jun 11)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? MindsX (Jun 12)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Hamid . K (Jun 19)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Jean-Baptiste Marchand (Jun 10)
- Re: how to remotely fingerprint 2k3 SP0 vs SP1 ? Rich Smith (Jun 08)